C-IN-OSM-0095-2002-A

United States Department of the Interior
Office of Inspector General
Washington, D.C. 20240

March 17, 2003

Memorandum

To:        Director, Office of Surface Mining Reclamation and Enforcement

From:      Roger La Rouche
           Assistant Inspector General for Audits

Subject:   Management Issues Identified During the Audit of the Office of Surface Mining Reclamation and Enforcement's Fiscal Year 2002 Financial Statements (No. 2003-I-0035)

We contracted with KPMG LLP, an independent certified public accounting firm, to audit the Office of Surface Mining Reclamation and Enforcement's (OSM) financial statements as of September 30, 2002 and for the year then ended. In conjunction with its audit, KPMG noted certain matters involving internal control and other operational matters that should be brought to management's attention. These matters, which are discussed in the attached letter, are in addition to those reported in KPMG's audit report on OSM's financial statements (Report No. 2003-I-0022) and do not constitute reportable conditions as defined by the American Institute of Certified Public Accountants.

The recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation; therefore, your response should be provided directly to that office. If you have any questions regarding KPMG's letter, please contact me at (202) 208-5512.

Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the Office of Inspector General to list this report in its semiannual report to the Congress.

Attachment

cc:     Assistant Secretary for Land and Minerals Management
        Chief Financial Officer, Office of Surface Mining Reclamation and Enforcement
        Director, Office of Financial Management
        Audit Liaison Officer, Land and Minerals Management
        Audit Liaison Officer, Office of Surface Mining Reclamation and Enforcement
        Focus Leader for Management Control and Audit Followup, Office of Financial Management

ATTACHMENT

Suite 2700
707 Seventeenth Street
Denver, CO 80202

KPMG LLP, a U.S. limited liability partnership, is a member of KPMG International, a Swiss association.

November 15, 2002

The Director of the Office of Surface Mining Reclamation and Enforcement and the Inspector General of the Department of the Interior:

We have audited the financial statements of the Office of Surface Mining Reclamation and Enforcement (OSM) for the year ended September 30, 2002, and have issued our report thereon dated November 15, 2002. In planning and performing our audit of the financial statements, we considered internal control in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements. An audit does not include examining the effectiveness of internal control and does not provide assurance on internal control. The maintenance of adequate internal control designed to fulfill control objectives is the responsibility of management. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, controls found to be functioning at a point in time may later be found deficient because of the performance of those responsible for applying them, and there can be no assurance that controls currently in existence will prove to be adequate in the future as changes take place in the organization. We have not considered internal control since the date of our report.

During our audit we noted certain matters involving internal control and other operational matters that are presented for your consideration. These comments and recommendations, all of which have been discussed with appropriate members of management, are intended to improve internal control or result in other operating efficiencies and are summarized below. In addition to our 2002 comments and recommendations, we have reported the status of prior year management letter comments. Their current status is addressed in the progress on prior year management letter recommendations section of this letter.

Network Security

Our audit revealed areas of the OSM's network security management that require improvement in order to enhance security effectiveness from both external and internal perspectives. Network security control weaknesses were identified as indicated below.

Externally:

a)    Network Software Implementation - The OSM's Fee Billing and Collection System (FEEBACS) back-end database financial software is placed on a host that also houses a publicly accessible application known as AVS. The FEEBACS back-end application is not intended to be publicly accessible and, by design, the FEEBACS front-end application is accessible by a web page. The AVS system is publicly accessible via the TELNET protocol without TCP wrappers or SSH; screen shots indicate this is the case externally from across the Internet. Because the host is publicly accessible, its IP address can be found from publicly available information. A TELNET session without TCP wrappers and SSH is "in the clear" and is thus vulnerable to successful "sniffing" of login ID and password credentials from anywhere on the Internet.

b)    Although AVS is a "read only" application for the majority of users, there are users with "write" access. As such, the potential exists for an unauthorized user or attacker to obtain legitimate access credentials that convey "write" privileges to an area on the shared host. Those write privileges may be used in combination with known Unix exploits and/or malicious scripts to escalate a compromised account to higher levels of access. This may, in turn, allow the attacker to exit the application and establish a session with the operating system of the shared host, which in turn cascades the risk of compromise to the FEEBACS back-end database files.

c)    In addition, an exploitable vulnerability was found during an external scan against a web server host. Specifically, we noted a predictable TCP packet sequence number vulnerability, which reveals that the host's TCP/IP stack implementation uses a faulty random number generator and should be patched with an updated version. If successfully exploited, this vulnerability can escalate the attacker to a logical position of being able to acquire unauthorized access to the operating system, either directly or by "spoofing."

Internally:

a)    Certain hosts' operating systems installed with common security vulnerabilities.

b)    Null session connections allowing enumeration of users and shares.

c)    Weak password files (Denver downtown and Washington DC locations), which allowed access to the password file for the host.

d)    Three noncurrent accounts on the FEEBACS web server.

The weaknesses identified can permit an attacker to "sniff" TELNET logins onto the host platform, thus obtaining a means of accessing the AVS/FEEBACS back-end host with some level of authorized "privilege." If the FEEBACS database is not properly "locked down" (i.e., host-based IDs, auditing turned on, nonshared administrative accounts), the probability exists that an attacker with intermediate skills can compromise the AVS application, escalate the privilege set, and successfully attack/compromise the FEEBACS back-end database.

Although many of the vulnerabilities identified above do not directly impact financial systems, the presence of vulnerabilities on nonfinancial systems increases the risk of penetration to the network overall.

Recommendation

The OSM should take the following steps to improve its network security posture:

a)    Review current network configuration and apply all current patches.

b)    Improve frequency of network configuration and monitoring.

In addition, to correct the immediate vulnerabilities identified, the OSM should:

c)    Separate the FEEBACS back-end database from the AVS and place the FEEBACS back-end database on a separate processing platform that does not host other "publicly available" applications. An alternative solution may be to require that FEEBACS users with "write" access use Secure Shell when accessing the application.

d)    Place the FEEBACS back-end database host in an internally accessible only zone on the OSM intranet.

e)    Implement processes to identify and remove in a timely manner all noncurrent accounts on the FEEBACS web server.

OSM Response

The OSM concurs with the above finding and recommendation and offers the following responses to specific recommendations. Item (a), "Review current network configuration and apply all current patches," and item (b), "Improve frequency of network configuration and monitoring," both apply to the findings identified under the heading of "Internally."

With regard to the specific findings in this category, item (a), "Certain hosts' operating systems installed with common security vulnerabilities," and item (b), "Null session connections allowing enumeration of users and shares," both refer to four conditions observed during the internal penetration testing. The first condition is known as IP Forwarding and was discovered to be active on one of the Division of Financial Management's (DFM) Hewlett-Packard 3000 mini-computers. This was a configuration problem and was resolved on August 20, 2002. The second condition has to do with FTP on the same Hewlett-Packard 3000 mini-computer. KPMG is concerned that the version of FTP on this mini-computer is patched to a level that is greater than or equal to WFTPD 2.4.1rc11. The OSM contacted the vendor (Hewlett-Packard) and received documentation that the version of FTP in use on this server is current, and that all known CERTs for FTP are covered in this version.

The third condition has to do with SNMP on this same Hewlett-Packard server. Again, the OSM contacted the vendor (Hewlett-Packard) and discovered that the current version of SNMP does not comply with all issued CERTs for SNMP. As of November 7, 2002, an updated version of SNMP for the Hewlett-Packard 3000 that does comply with all issued CERTs became available. This patch will be implemented by the end of December 2002.

The fourth condition observed was KPMG's ability to enumerate user names, shares and policy on some of the Windows based servers used throughout the OSM. Upon further investigation by the DFM Systems staff and staff at Microsoft Corporation, it was discovered that the Windows based servers in use at the DFM were all patched for this vulnerability. In fact, closer examination of the detailed penetration reports revealed that the Windows based servers at the DFM would enumerate the user names but not the shares or the policy. This is the current "state of the art" for this Windows operating system and there is nothing more that the DFM can do at this time. The DFM will continue to monitor the availability of patches to further secure this vulnerability.

Item (c) from the internal penetration testing, "Weak password files (Denver downtown and Washington DC locations), which allowed access to the password file for the host," has been resolved. The administrators for these platforms were informed of this condition shortly after it was identified and steps have been taken to strengthen these passwords.

Item (d) from the internal penetration testing, "Three noncurrent accounts on the FEEBACS web server," has been resolved. During their testing, KPMG noticed that three user accounts were active on this web server when the individuals were no longer at the DFM. These user accounts were for the developers of the system. At the time of the audit, sporadic development work was still occurring on this web server. While this in no way supports leaving these user accounts active while the developers were not actively engaged in software development, it does provide a reason for why this situation existed. Since that time the DFM has strengthened its procedure for establishing and maintaining user accounts on the web server in such a way that this situation has been eliminated. This satisfies recommendation (e), "Implement processes to identify and remove in a timely manner all noncurrent accounts on the FEEBACS web server."

Recommendation (c) states "Separate the FEEBACS back-end database from the AVS and place the FEEBACS back-end database on a separate processing platform that does not host other 'publicly available' applications. An alternative solution may be to require that FEEBACS users with 'write' access use Secure Shell when accessing the application." OSM would like to note that all of the FEEBACS users that have "write" access are stationed at DFM. Therefore, there are no users with "write" access that are traversing the Internet to gain access to this application. For this reason, the OSM is somewhat comfortable with the fact that FEEBACS and AVS reside on the same physical platform. The OSM will be investigating a number of options for further improving the security of these systems over the next several months and will be evaluating the cost-effectiveness of each.

With regard to recommendation (d), "Place the FEEBACS back-end database host in an internally accessible only zone on the OSM intranet," OSM will be investigating a number of options to further improve the security of this system, including putting it on a separate platform within our intranet. This investigation will be conducted along with our analysis of options to satisfy recommendation (c) above.

Application Logical Access

Our audit determined that the OSM's access controls and security policies for applications need improvement. For instance:

a)    Changes to the Advanced Budget/Accounting Control and Information System (ABACIS) database are made using the "MGR" group account, rather than through individual accounts. The "MGR" account is designated for application administration and is not to be used for nonadministrative functions.

b)    ABACIS system users that should not have access to the "MGR" account password improperly used the group account.

c)    Contrary to the OSM's policy, some changes made to data in the database were not supported by a System Trouble Report (STR) form, which documents the nature and approval of the change.

d)    Individual accounts have been assigned to execute ABACIS administration; however, the group "MGR" account continues to be used.

e)    OSM management has not developed a security plan for the Federal Personnel and Payroll System (FPPS) application.

f)    Access rights to the Hyperion application were active for an individual who had transferred from the accounting department in August 2001. The individual no longer required access to Hyperion to perform required job functions.

Weak logical access controls increase the risk of unauthorized access to the application, which can result in loss, damage or theft of valuable information and/or resources. At a minimum, users can currently obtain access to sensitive data and systems that are not commensurate with their job requirements. In the event of unauthorized access, timely generation and review of security logs could help ensure that security breaches are detected and the source of the breach identified, allowing management to act on violations.

OSM has detailed policies and procedures governing logical security over the ABACIS application. According to OSM management, the importance of STR documentation and the use of only individual accounts have been emphasized; however, compliance with the policy has not been achieved.

It appears the above problems stem from a combination of factors, including the need for additional logical access policies, a lack of application security plans, and a lack of management oversight to ensure compliance with current IT policies.

Recommendation

The OSM should implement the following changes to improve access controls over its financial applications:

a)    Limit the use of group administration accounts and passwords for the ABACIS application.

b)    Increase management oversight over making changes to the ABACIS database (e.g., consider performing random audits of database changes to ascertain compliance by OSM personnel).

c)    Increase management oversight over the termination of access rights for transferred employees to ensure that access rights are removed in a timely manner.

In addition, relative to FPPS and Hyperion, the OSM should direct and support the development and implementation of security plans for these applications. Given that FPPS and Hyperion are owned by the Department of the Interior, the security plans should address only those aspects relevant to the OSM. Further, the OSM's security plans should incorporate guidance supplied by the Department.

OSM Response

The OSM partially agrees with the above findings and recommendation and offers the following response.

With respect to item "a" under the Recommendation, the OSM limited knowledge of the group administrator (MGR) User Id and password to 3 people (the primary administrator and 2 backups). This was done in October of 2001. We feel that this is sufficient as it provides an acceptable level of control over the use of the group administrator (User Id) while allowing the OSM to maintain an acceptable backup presence for the primary administrator. We recognize this as an acceptable level of risk in our risk analysis for the Hewlett-Packard server.

Recommendation "b" calls for the OSM to increase management oversight over changes made to ABACIS data and to consider implementing random audits of database changes to ascertain compliance with procedures. The OSM already performs random audits of database changes. The system owners randomly request listings of database log files and review these log files. Whenever a change to data using NMQUERY is noted in the log files, the system owners request a supporting System Trouble Report (STR) for documenting the change. The OSM will continue this process and continue to refine the procedure in order to eliminate any future occurrences of undocumented data changes.

Item "c", the Hyperion access condition, involves a DFM employee who had been transferred from one team to another within the DFM. This individual is a current DFM employee. While it is true that the employee had a user ID for the Hyperion application, the employee never had credentials for the National Business Center's (NBC) Citrix server that houses the Hyperion application. Since fiscal year 2000, Hyperion users must first log into the Citrix server and then log into the Hyperion application. Under this scenario, the employee could never have accessed the application without the proper server credentials. The employee's user ID has since been removed from the application.

With regard to the need for security plans for FPPS and Hyperion, the DFM will obtain sample security plans for these systems from another bureau within the Department of the Interior. We will then modify these plans to our particular use of the departmental systems.

System Software

The OSM's DFM has not developed policies to help ensure the proper monitoring of, access to, and use of its operating system software.

Controls over access to the operating system software are essential in providing reasonable assurance that system-based security controls are not compromised. If related personnel policies for system access controls are not adequate, there is a risk that untrustworthy and untrained individuals may have unrestricted access to software code, terminated employees may have the opportunity to compromise systems, and unauthorized actions may not be detected.

It appears the OSM has not emphasized the development of policies and procedures governing access to and monitoring of operating system software, as it relies on the expertise of the IT department staff and the limited number of individuals with access to system software.

Recommendation

The OSM's DFM management should develop and implement formal policies and procedures to monitor the access to and use of its system software and utilities.

OSM Response

Management requires each platform administrator to remain current on required patches and upgrades for their areas of responsibility. This is a monthly requirement of our Quality Assurance Program that is monitored by our IT Site Security Officer. It is important to note that due to the rapid implementation of patches and upgrades by the systems staff, the DFM computer environment has not been successfully hacked since the implementation of our rigorous program of maintaining systems at the manufacturers' recommended release level. Each upgrade to the system comes with explicit instructions from Hewlett Packard (HP), SUN or Microsoft for their appropriate platforms. A consulting firm performs the SUN upgrades. Hewlett Packard is under contract to supply appropriate upgrades and fixes to the HP operating system, including written procedures for implementation. A DFM system administrator performs the NT server patches and upgrades by following Microsoft written and computerized procedures. During the past year the DFM has enhanced the procedures in its Quality Assurance Log book for identifying and implementing upgrades, patches, and updates to system software.

To address the above condition, the DFM has added three management approval checkpoints to the process in order to improve management oversight. The first is a pre-implementation checkpoint where the system administrator will fully explain the update and the reasons for the update to the Team Leader, Financial and Administrative Systems Team. If a particular update is deemed not necessary, this will be indicated in the Quality Assurance Log as well. Once approved by the Team Leader in the Quality Assurance Log, the system administrator will schedule and apply the update. At the end of the procedure an additional signoff will occur where the system administrator "closes out" the process with the Team Leader. The new procedure is as follows:

Procedure for upgrading server system software:

1.    Review the present patches or upgrades to the operating system or software.

2.    Read all the documentation associated with the patch or upgrade and determine if it is appropriate for implementation.

      If a patch or upgrade is not considered necessary for implementation, provide a short narrative as to why it is not considered necessary and obtain the concurrence of the Team Leader, Financial and Administrative Systems Team (FAST).

      If a patch or upgrade is considered necessary for implementation, the change must be discussed with the Financial and Administrative Systems Team Leader and must have their signed approval prior to proceeding with the implementation.

3.    Once a patch or upgrade has been evaluated and the decision has been made to implement, develop and document an implementation plan/schedule. This might include the scheduling of contract vendors or scheduling of computer/host down time.

4.    Document how and when the change was implemented.

5.    Once the change has been completely implemented, the change is discussed with the Financial and Administrative Team Leader and an approval is required to close out the upgrade process.

Progress On Prior Year Management Letter Recommendations

The following is a summary of the implementation status of prior year management letter comments.

Comment: Information Technology Contingency Plan - The OSM's DFM has not performed sufficient testing of its business continuity plan to ensure its ability to fully restore critical systems and data in the event of a significant business interruption.
Status: Implemented. Our fiscal year 2002 audit did not identify instances of a lack of testing of the OSM business continuity plan.

Comment: Information Technology Change Control - The OSM had not properly documented changes made to ABACIS. Further, the OSM's change control methodology does not include policies and procedures governing application software libraries, including labeling and/or maintaining an inventory of programs.
Status: Implemented. Our fiscal year 2002 audit did not identify instances of undocumented changes made to ABACIS or a lack of policies and procedures governing application software libraries.

Comment: Information Technology Logical Access - The OSM needed to improve certain aspects of logical access for applications owned or used by DFM.
Status: Partially Implemented. Our fiscal year 2002 audit found the OSM had made some improvements in controls over logical access; however, our audit still found areas of inadequate controls, as discussed above under application logical access.

Comment: Information Systems Software - The OSM had not developed policies to help ensure the proper monitoring of, access to and use of operating system software. Further, OSM had not developed formal policies and procedures for controlling changes to its operating system software.
Status: Partially Implemented. Our fiscal year 2002 audit found the OSM had made improvements in developing policies and procedures for controlling changes to its operating system software. However, the OSM's DFM has not developed policies to help ensure the proper monitoring of, access to, and use of its operating system software. This outstanding issue is discussed above under the system software comment.

Comment: Investment Policies - The OSM had not consistently followed its internal investment policies. It was recommended the OSM improve its procedures to ensure compliance with its own investment policies.
Status: Implemented. Our fiscal year 2002 audit did not identify instances of a lack of adherence to internal investment policies.

Comment: Approval of Grant Obligations - The OSM had not consistently documented its approval for establishing grant obligations. It was recommended the OSM improve its procedures to ensure compliance with its internal grant obligation control guidance listed in its Federal Assistance Manual.
Status: Implemented. Our fiscal year 2002 audit did not identify instances of a lack of approval for establishing grant obligations.

Comment: De-obligating Funds - The OSM had not implemented effective procedures to ensure all inactive undelivered orders were de-obligated in a timely manner. It was recommended the OSM perform a thorough review of all unliquidated obligations and de-obligate invalid undelivered orders in a timely manner throughout the year.
Status: Implemented. Our fiscal year 2002 audit did not identify any significant inactive undelivered orders that were not de-obligated in a timely manner.

Comment: Unauthorized Credit Card Use - The OSM did not have adequate procedures to ensure credit cards were used only by the cardholder identified on the card. It was recommended the OSM improve its credit card review procedures.
Status: Implemented. Our fiscal year 2002 audit did not identify instances of unauthorized credit card use.

*******

Our audit procedures are designed to enable us to form an opinion on the financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim, however, to use our knowledge of the OSM gained during our work to make comments and suggestions that we hope will be useful to you.

We will be pleased to discuss with you in more detail any of the matters referred to in this letter.

This letter is intended for the information and use of the OSM and Department of the Interior's management, Department of the Interior's Office of the Inspector General, the U.S. Office of Management and Budget (OMB), and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,